How behavioral biometrics can ensure compliance with PSD2 – and any regulation that impacts customer data protection
This is a guest post by Jordan Blake, VP of Products at BehavioSec.
At first glance, the Payment Services Directive 2 (PSD2) appears to affect only companies that conduct customer transactions in Europe. On closer inspection, PSD2 represents a wave of regulatory action that will likely enforce a higher level of authentication for all organizations – no matter where in the world they do business.
As of this September, PSD2 requires the adoption of strong customer authentication (SCA) for online payments. Providers must protect customer accounts with authentication that combines at least two independent factors drawn from three categories: “knowledge,” something only the user knows, such as a password or PIN; “possession,” something only the user has, such as a registered phone, payment card or hardware token; and “inherence,” something the user is, meaning a unique attribute of the individual. The factors must be independent, so that compromising one does not compromise the other.
It’s not yet clear whether organizations will successfully comply. As of late last year, three-quarters of online merchants in Europe weren’t aware of the pending requirements, according to research from Mastercard. Of the quarter that were aware, 24 percent had no plans to support the SCA standards. Perhaps this is why the European Banking Authority (EBA) is granting limited extensions for providers to become SCA-compliant, under time-bound conditions.
It would be in the best interest of all companies – not just the European merchants from the Mastercard study – to make sure they’re compliant. As indicated, PSD2 hardly serves as a one-off. Other mandates like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are also firmly focused on the protection of customer data. So it’s inevitable that all businesses with a stake in online transactions will need to comply with these regulations, or very similar ones. Senior corporate decision-makers can either bury their heads in the sand until they’re forced into action (which is not advisable) or get ahead of the curve (which is).
After all, getting ahead of the curve here amounts to getting ahead of the competition. Via compliance, companies will improve themselves as a whole by establishing better trust with their customers. This, in turn, will enrich brand reputation and loyalty, leading to increased sales and an expanding customer base.
In the case of PSD2, they’ll need to carefully consider how to deploy effective authentication from at least two of the three specified categories of “knowledge,” “possession” and “inherence.” Inherence covers biometrics, which is emerging as a leading authentication pathway with the promise of greater protection than traditional methods such as passwords. A newer branch of the field, behavioral biometrics, is proving itself as an approach that strengthens security while improving the customer/user experience.
Behavioral biometrics is well suited to regulations such as PSD2 because it layers an inherence signal, the individual’s physical interaction patterns, on top of traditional log-in credentials, offering substantially stronger defenses against account takeover and fraud. It enables organizations to authenticate users continuously and unobtrusively by validating the manner in which they physically interact online. These solutions do this by profiling how individual users interact with their devices: the way they hold, move, swipe and type on mobile phones, and the way they navigate with touchscreens, touchpads, mice and physical keyboards on larger devices.
Armed with these behavioral profiles, the solutions can selectively block suspicious activities and transactions, or direct them to step-up authentication or targeted monitoring, without negatively impacting the productivity of legitimate users. Because it is very difficult for malware or even a human intruder to accurately reproduce another person’s interaction patterns, a solution can detect a would-be fraudster “typing differently,” for instance, and immediately apply the appropriate response. Matching is statistical rather than exact, so a deployment tunes its thresholds to balance false rejections of legitimate users against false acceptances of impostors, and routes the uncertain middle to step-up authentication rather than to a hard block.
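To make the profile-and-route logic above concrete, here is a small keystroke-dynamics checker. It is an added illustration written for this page, not BehavioSec’s product or any vendor’s algorithm, and all timings in it are constructed. It derives two classic features from key events, dwell (how long a key is held) and flight (the gap between releasing one key and pressing the next), builds a per-user profile of mean and spread from enrollment sessions, scores a new session by how far its timings sit from that profile, and routes the result to allow, step-up or block. It also shows one failure mode a practitioner should plan for: a script that injects the user’s average timings scores well, so the checker additionally flags sessions whose timing is implausibly uniform for a human. The thresholds (2.0 and 4.0 mean z-score, 25 percent minimum spread) are illustrative assumptions, not values from the article.

```python
"""Toy keystroke-dynamics check (constructed example, not BehavioSec's product).

A session is a list of (key, press_ms, release_ms) events.  Two features are
derived: dwell (how long a key is held) and flight (gap between releasing one
key and pressing the next).  Enrollment sessions give a per-feature mean and
spread; a new session is scored by how many standard deviations its timings
sit from that profile, and the score is routed to allow / step-up / block.
All timings below are made up for illustration.
"""
from statistics import mean, pstdev

KEYS = list("password")  # the typed string is irrelevant; only timing is used


def make_session(dwells, flights):
    """Build an event list from per-key dwell times and between-key flight times."""
    events, t = [], 0
    for i, key in enumerate(KEYS):
        press, release = t, t + dwells[i]
        events.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return events


def features(events):
    """Dwell and flight times (ms) for one session."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell": dwell, "flight": flight}


def build_profile(sessions):
    """Per-feature (mean, stdev) over all enrollment sessions; stdev floored at 1 ms."""
    profile = {}
    for name in ("dwell", "flight"):
        values = [v for s in sessions for v in features(s)[name]]
        profile[name] = (mean(values), max(pstdev(values), 1.0))
    return profile


def anomaly_score(profile, events):
    """Mean absolute z-score of the session's timings against the profile."""
    f = features(events)
    zs = [abs(v - mu) / sigma for name, (mu, sigma) in profile.items() for v in f[name]]
    return mean(zs)


def assess(profile, events, step_up_at=2.0, block_at=4.0, min_spread=0.25):
    """Return (score, decision).

    A session far from the profile is stepped up or blocked.  A session whose
    timings are implausibly uniform (spread below a quarter of the user's own)
    is also stepped up even if its score is low: a script replaying the average
    profile looks like that, a human typist does not.  Thresholds are assumptions.
    """
    f = features(events)
    score = anomaly_score(profile, events)
    for name, (_, sigma) in profile.items():
        if pstdev(f[name]) < min_spread * sigma:
            return score, "step_up"  # too regular for a human: replay or automation
    if score < step_up_at:
        return score, "allow"
    if score < block_at:
        return score, "step_up"
    return score, "block"


# Constructed enrollment data: three sessions from the legitimate user.
ENROLLMENT = [
    make_session([88, 95, 91, 84, 97, 90, 86, 93], [118, 125, 112, 130, 121, 115, 127]),
    make_session([92, 87, 96, 90, 83, 98, 89, 85], [122, 116, 128, 119, 133, 111, 124]),
    make_session([90, 93, 85, 97, 88, 91, 94, 87], [120, 129, 114, 123, 117, 131, 126]),
]
PROFILE = build_profile(ENROLLMENT)

# Constructed test sessions.
GENUINE = make_session([89, 94, 88, 92, 96, 87, 91, 90], [119, 124, 127, 116, 122, 130, 118])
DRIFTED = make_session([100, 103, 98, 105, 101, 99, 104, 97], [135, 140, 132, 138, 143, 130, 137])
ATTACKER = make_session([40, 45, 38, 42, 50, 44, 39, 47], [300, 280, 320, 290, 310, 270, 330])
REPLAY = make_session([90] * 8, [122] * 7)  # script injecting the profile's averages

if __name__ == "__main__":
    for label, session in [("genuine", GENUINE), ("drifted", DRIFTED),
                           ("attacker", ATTACKER), ("replay", REPLAY)]:
        score, decision = assess(PROFILE, session)
        print(f"{label:9s} score={score:5.2f} -> {decision}")
```

Running it routes the genuine session to allow, the mildly drifted one (the user on an unfamiliar keyboard, say) to step-up, the attacker to block, and the replay to step-up despite its near-zero score. A production system would use many more features, adapt the profile over time, and treat the score as one risk input alongside device and transaction context rather than as a standalone verdict.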
Given those capabilities, investment in the solutions is expected to soar: The behavioral biometrics market is projected to grow to $3.9 billion by 2025, up from $720.5 million two years ago, according to a forecast from Allied Market Research. With the investment, businesses will discover advantages that go beyond just compliance, thanks to these distinct qualities of behavioral biometrics:
— It builds trust with customers because it cannot be phished, reused or replayed the way a password can. Hackers, of course, are very good at stealing passwords. So it’s largely futile to spend countless dollars strictly on password-based tools, especially since customers keep re-using the same passwords across a broad range of online services. If fraudsters compromise thousands of passwords at a less protected site, those same credentials will likely work against even the best-defended password login.
In contrast, customers’ physical handling of and interaction with their mobile devices, keyboards, mice, touchscreens, etc. are uniquely their own. A leaked credential database gives an attacker nothing that reproduces these behaviors, which makes them well suited to the individual profiles that behavioral biometrics solutions use for authentication. The stored profile itself is still sensitive and must be protected; what changes is that possessing it is not the same as being able to perform it live.
— It helps lead organizations to successful digital transformations and winning customer experiences. Digital transformation is challenging enterprises to create frictionless online experiences for customers, as well as for partners in the supply chain. Obviously, asking people to constantly memorize and input passwords and/or carry tokens around with them does not make for a frictionless experience. Behavioral biometrics removes these burdens, while ensuring that only those who are allowed to pursue a transaction can actually do so. What’s more, unlike traditional biometrics such as fingerprint technologies, there is no need for additional sensor hardware to verify the user, and no fingerprint or face image is captured that an attacker could exfiltrate. The profile is a statistical model of timing and movement rather than a body image, although under GDPR it remains personal data (and, when used to uniquely identify a person, biometric data) and must be protected accordingly. All authentication takes place on the keyboard, touchscreen and mouse – the customer/partner doesn’t necessarily know (or care) that it’s even happening at all. And unlike a fingerprint or other static biometric, a behavioral profile is not a fixed secret that can be copied once and reused; an attacker would have to reproduce the user’s live timing and movement patterns convincingly, session after session.
Ultimately, PSD2 and additional standards (both present and future) are about answering this question about customers: “Are you who you say you are?” Organizations should welcome such challenges, because they should want to know this during transactions/interactions, as opposed to hoping they know.
With behavioral biometrics, that question gets a much more confident answer. The way you dance with your significant other, shake a business associate’s hand and clutch a shopping bag … it is all uniquely yours, and strangers cannot take it and use it as their own. The same applies to the way you interact with your digital devices, and to the difficulty an attacker faces in reproducing it to pull off a breach. Given that assurance, companies would benefit by directing their investment accordingly – not just to comply, but to build new levels of brand trust, loyalty and customer experience.
About the author
As BehavioSec’s VP of Products, Jordan Blake drives the vision and growth of its cyber safety solutions while also ensuring quality and client satisfaction.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.